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Abstract: We present a comprehensive analysis of the Johnson (like) noise based classical key-distribution scheme presented by 
Kish [1]. We suggest two passive attack strategies that enable an adversary to gain complete knowledge of the exchanged key. 
The first approach exploits the transient response of the voltage in the transmission line after the resistors are switched and the 
second one exploits the finite impedance of the wire connecting the two parties. 
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1. Introduction 

Highly secure communication channels are 
essential elements for numerous present and 
contemplated applications. Classical encryption 
schemes utilizing one-way functions offer only 
computationally hard security, and therefore, their 
security can be compromised, at least in principle. 

Quantum key-distribution systems (QKDS) 
represent a different approach enabling, in principle, 
unconditionally secure key-distribution based on the 
laws of quantum mechanics. Although completely 
secure, QKDS pose major technological challenges 
which limit significantly the key-establishing rates 
(<100kHz) and the achievable ranges (< 120km). 

Recently, a classical KDS scheme utilizing Johnson 
noise in resistors was suggested by Kish [1]. A 
schematic of the concept is shown in Fig. 1. Roughly 
speaking, the security of the system is based on the 
inability of an adversary (Eve) to distinguish between 
two symmetrical cases (R A =R , Rb=Ri and R A =Ri, 
Rb=Ro) using only passive measurements. 

We start by noting that the analysis given in [1] for 
the voltage and current noise density spectra, contains a 
basic flaw. It completely ignores the finite propagation 
time between the sender (Alice) and the receiver (Bob) 
and the finite resistance of the wire connecting them. 
When the analysis is carried out taking into account 
the, inevitable, time delay and the resulting transients, 
or the impedance of the wire, we find that the system 
becomes vulnerable to eavesdropping, thus invalidating 
the basic premise of [1]. The analysis leading to the 
stated conclusion follows. 

Referring to Fig. 1, we assume that the wave 
impedance and length of the transmission line (TL) 
connecting Alice and Bob are given by Z and L 
respectively. For simplicity, we assume the 
transmission line is dispersion-less. The voltage and 
current along the transmission line are given by a 
superposition of forward and backward propagating 
waves [2]: 

V(l,t) = V + (l,t)+V-(lj) 
l{l,t)=fr + {l,t)-V{l,t)]/Z 

At steady- state, because of the random voltage 
signal generated by the sources, the forward and 



(1) 



backward propagating waves at (0, t) due to, say Alice' s 
source, consist of a (infinite) series of time delayed 
signals emitted at t-2nv. 




FIG. 1 . Schematic of the classical key-distribution 
system proposed by Kish. 

7 ■xi 



v A (o,t) = 



J «=0 



(2) 



where V A (t) is the random signal generated by the 
source at Alice's end, ris the propagation time along 
the TL, and T A and T B are respectively the reflection 
coefficients at Alice and Bob's ends defined as: 

r=^l, j = AB 0) 

' Rj+z 

When one of the parties (say, Alice) switches the 
resistor (and source) on her side, the abrupt change in 
the boundary conditions (BC) generates a voltage (and 
current) wave which propagates toward Bob. If Eve 
measures the noise spectral density at an asymmetric 
point on the TL (e.g., close to Alice's end), she can 
detect this voltage wave and infer Alice's bit. 

For simplicity, we pick a specific scenario in which 
for ?<0, both Alice and Bob have R terminate their end 
of the TL. At ?=0 Alice switches Ri on (see Fig. 2). The 
analysis of the other possibilities is essentially identical 
leading qualitatively to similar conclusions. We divide 
the analysis into two cases: 1) The signal propagation 
time along the line is much longer than the correlation 
time of the noise generators (or the Johnson noise), i.e., 



the system is a distributed system. 2) The signal 
propagation time along the line is much shorter than 
the correlation time of the noise generators, i.e., the 
system is a lumped system. The analysis described by 
Kish [1] is restricted to the second case and, as shown 
in the following analysis, this restriction is crucial 
because it practically eliminates the possibility of 
utilizing wide bandwidth noise source such as the 
Johnson noise. 



1=0 




l=L 



FIG. 2. Determining the exchanged bit by transient 
analysis of the transmission line. 

2. Case 1 - sources with short correlation time 

In this section we assume that 
<V A {t)V A {t')>=S„-W-R A where W is the scaling factor 
connecting the impedance of the resistor and the 
variance of the corresponding noise source (for 
Johnson noise Wis given by AkT). Because the sources 
V A and V B are independent, the overall noise spectral 
density measured by Eve is the sum of the separate 
contribution of each of them. Using (2) and (3) we find 
that the noise voltage spectral density measured at 1=0 
(i.e. close to Alice's end) for t<0 due to Alice's source 
is given by: 

v WR ° Z ° i w (*°- z q) 4 . (4) 

S " Al - 0h (R 0+ Z o y + 8Z [z> 0+ Rt) 

where in order to sum the infinite series we used the 
assumption that the signal correlation time is very 
short. It should be noted that the end points of the TL 
(i.e. 1=0, l=L), are unique because some of the terms of 
V* and V add coherently. At an arbitrary point /' along 
the TL, the forward and backward waves due to Alice's 
source are given by: 



v A (i\t)- 
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-{-V A (t + T') + 
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where ■f is the signal propagation time from 1=0 to 
/=/'. Except for the middle point of the TL (/=z/2), the 
terms in (5) add incoherently and the noise spectral 
density generated by Alice's source at V is given by: 

WR A Z B (z 2 +R 2 B ) (6) 

2(Zo +R A R B pt A +R B ) 
The contribution of Bob's source at /' for is 
evaluated similarly yielding a similar expression where 



R A and R B are interchanged. Note, that for the 
symmetric case R A =R B , the overall noise spectral 
density measured at /' is given by Z W/2, i.e., 
completely independent of the resistors value. This 
outcome demonstrates explicitly the importance of 
propagation effects along the TL. In contrast with 
Kish's result (eq. (4) in [1]), in the symmetric case the 
adversary cannot gain knowledge of the bit values 
selected by Alice and Bob. 

At a first glance, the last conclusion seems to allow 
Alice and Bob to increase their key-establishing rate by 
a factor of two because secure communication can take 
place even in the symmetric case. However, when 
Alice and/or Bob switch their resistors (and sources), 
the change creates electromagnetic waves that travel 
towards Alice and Bob and can be detected by Eve and 
used to determine the exchanged bit. 

Returning to the specific example, at t<0, the 
voltage spectral density measured by Eve at some point 
along the line is: 

S„(/') = {WZ (7) 

When Alice switches Rj on, at time t, the abrupt change 
in the BC generates a voltage (and current) wave which 
propagates toward Bob at a velocity of V p =L/z. This 
wave consists of two contributions: 1) The new noise 
source, associated with Rj, connected by Alice and 2) 
A change in the reflection coefficient of the left 
propagating wave (V) at Alice's end. Since the signals 
generated by Alice and Bob's noise sources are not 
correlated, we can calculate the contribution of each 
source separately and sum them to obtain the power 
density spectra. The voltage measured by Eve at /=/' 
and t>f due to Alice's source is, therefore: 

v(l\t)=— i -^rkv i A {t-r l )+ 



Z +R, 



(8) 



(Z () -fl 1 )v-(0,r-T')}+V-(r,f) 
Note, that the three terms in (8) are mutually 
incoherent. Again, for simplicity, we analyze only the 
first pass of these waves in the transmission line (which 
is the most dominant one), showing that Eve can learn 
of the exchanged bit by detecting the change of the 
voltage generated by these waves. From (8), the noise 
spectral density due to Alice's source is: 



wz f D 7 , (R -z y{z: t +R:) \ (9 ) 

4(Z 2 +/J 2 ) J 
It should be emphasized that (9) holds only for 
?<t<2z-f, i.e., before the reflection of the emitted 
signal from Alice's (new) source from Bob's end 
reaches l=V . The contribution of Bob's source to the 
noise spectral density at l=V is due to the change in the 
reflection coefficient at 1=0 and is given by: 

WR l Z a (R +Z ) 2 (10) 

'4(z 2 +fl 2 Xtf 1 +Z ) 
The sum of (9) and (10) yields the over all noise 
spectral density measured by Eve: 

WZ f 2+ : g 1 Z^g L + zJ | (11) 
2{R l+ Z y\ ' 2{Z 2 +R 2 ) 
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Comparing (11) to (7) we find that at t=i? after 
Alice switched Rj on), the overall voltage noise 
spectral density measured by Eve changes by a 
quantity equal to the second term in the RHS of (11). 
In addition, because the contributions of R and Rj to 
that term are not symmetric, Eve can determine 
whether Alice switched her resistor from R to Rj or 
vice versa. Thus, by monitoring the temporal evolution 
of the noise density or <V 2 > at two points along the TL 
(one closer to Alice and the other closer to Bob), Eve 
can determine which resistors (and sources) were 
selected by Alice and Bob and gain complete 
knowledge of the exchanged bit. 

3. Case 2 - sources with long correlation time 

In this section we assume, as in [1], that the 
bandwidth of the noise sources is narrow, i.e., the 
voltage of the sources does not vary much during the 
propagation time r. Under this assumption, the steady- 
state analysis in [1] is accurate because the system is 
practically a lump system. However, when Alice and/or 
Bob switch their resistors, the assumption of the 
narrow bandwidth sources (and hence, the lumped 
circuit approximation) becomes invalid. Assuming the 
two sources are uncorrelated, i.e., V, 1 " 4 ' (/) * V,," 11 (/) and 
V l (B) (t)^Vg B) (t), switching from, say, R to Rj 
generates a voltage discontinuity which propagates in 
speed V p towards the other side. Thus, similar to case 1, 
by monitoring the temporal evolution of the voltage at 
two points along the TL (one closer to Alice and the 
other closer to Bob), Eve can determine whether Alice 
and/or Bob switched their resistors (and sources) and 
gain complete knowledge of the exchanged bit. Note, 
that unlike case 1, Eve's measurement cannot reveal 
whether the switching was from R to Rj or vice versa. 
Nevertheless, when an identical resistors scenario 
(Ra=Rb) occurs, which on average happens with 
probability of 0.5, Eve can determine the value of the 
resistors and use this information to evaluate the 
previous and subsequent key bits. 

Finally, we show that Eve can also exploit the finite 
resistance of the wire connecting Alice and Bob to 
determine the value of R A and R B (and consequently the 
exchanged bit) even without resorting to temporal 
analysis. 

Referring to Fig. 3, we assume that Eve measures 
the voltage and current at an asymmetrical point along 
the wire, i.e., R wl ^R m . The corresponding voltage and 
current noise density spectra of Eve measurement are 
given by: 

l v 2 \ _ W[R A -(R b +R w2 ) + R b - (R a +R m )] 

W (R A+ R B+ R w2+ R m ) (12) 

(ll)=, W ^ +R ^ Af 
\ 1 (R A +R B +R W2 +R W1 ) 

The current noise spectral density can be used to 

determine the sum of R A and R B which indicates 

whether they are identical or not. For the relevant case, 

i.e. R a ^Rb, Eve can use the voltage noise spectral 

density to distinguish between the two possibilities 



(R A =Ro, Rb=Ri or vice versa) and determine the 
exchanged bit. 




FIG. 3. Determining the exchanged bit using the 
resistance of the transmission line. 

As a concrete example, let us consider a key 
distribution system employing a 100km long copper 
wire having a 1mm diameter. The corresponding 
impedance of this wire is ~2kQ. This resistance is non- 
negligible and, depending of Eve's ability to accurately 
measure the density spectra, it allows her to determine 
Alice and Bob's selection of resistors. 

To conclude, we study the security level provided 
by the key-distribution scheme suggested by Kish [1]. 
While at steady state it is impossible to determine the 
resistors configuration, we show that an adversary can 
gain complete knowledge of the exchanged bits by 
using a passive attack strategy exploiting the fmiteness 
of the impedance of the wire connecting Alice and 
Bob, or the transient response of the system after the 
resistors have been switched at the end of one (or 
more) of the parties. The vulnerability of Kish's 
scheme to the later is crucial because the transient 
response of the system cannot be eliminated, thus 
preventing Alice and Bob from obtaining any level of 
secure key distribution. 

Although the specific scheme suggested by Kish 
turns out, eventually, to be vulnerable to passive 
attacks, the underlying idea is interesting and worth 
pursuing. While classical key-distribution systems, 
which are based on other principles, may not be able to 
provide unconditional security, they may provide 
technological or practical security. Unlike QKDS, 
classical systems do not require single photon sources 
and detectors, thus allowing secure communication to 
take place over longer ranges with greater key- 
establishing rates using currently available components 
and technologies. Such systems may prove to be both 
an efficient intermediate solution for secure key- 
distributions as well as a complementary technology to 
QKD, especially for long haul links. 
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A recent preprint published by Kish [2] included a response to our criticism of the "Kirchoff-Loop-Johnson-Noise" 
system [1]. We have a few short comments that will conclude our involvement in this issue. 

1) The response [2] does not address numerically or analytically any of points we raised. 

2) Kish claims that "...the Scheuer -Yariv manuscript does not identify any security holes in the idealized 
(mathematical) case of the KLJN cipher". Indeed our main point is that the neglect of wire resistance, propagation 
delay and the coherence time of noise-like signals renders the mathematical model useless as an approximation of 
reality. We have quantified our arguments. We will appreciate a numerical/analytical response as an appropriate to 
a scientific discussion. 

3) We completely agree with Kish [2] that ". . .only generic comments have been published and a thorough analysis 
of the practical security design aspects the KLJN cipher is still missing. . .". 
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